Bogus Emails, Scams, and Phishing

By Bob Witham, OIT Security

I am sure that you have at one time or another received an email claiming you had won a prize, that your bank account was overdrawn, or that some horrible event was about to befall you if you did not click on the link in the email immediately. Chances are this was an example of “Phishing.” I'm pretty sure that you've heard about phishing, but just in case, I went to Webopedia ( http://www.webopedia.com ) to get a good definition of Phishing for you. They define Phishing as: “The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.”

In early October, I sent a warning to OIT staff about a phishing email that had been received in the State email system. As part of that email, I pointed out some of the inconsistencies that we look for in these messages that alert us that these emails are fraudulent. I thought I'd share with you some of the methods and tools we use when we investigate emails so that you can make use of these tools to help arm yourself against fraudulent emails and other Internet scams.

Let me show you the email that was received, and then we'll look at how to analyze it.

------------------------------------------------------------------------------------------------------------------------------------------
From: Bank Of America Support Department (manager#4541@bankofamerica.com]
Sent: Friday, October 03, 2008 9:11 AM
To: robert.l.witham.jr@maine.gov
Subject: Bank of America Urgent Customer Alert: "Joomla!" Security Update.

Attention All Bank of America Customers.
Security & Fraud Protection Update.

At Bank of America, were committed to keeping your information confidential and secure, and we take that responsibility very seriously.

Our Fraud detection solution helps to protect your business against the risk of fraudulent transactions alerting you to potential risks.

We have developed the following protection tools to insure you confidentiality.

You can download the latest security pack from our Customer Service Department>>
(link to: direct.bankofamerica.usanationwide.encrypted.linkbrowse.procedure. mnebeine.com /verify.htm?/exacttrget/ptcontrol/OSL.htm?LOB=4654541619&refer=geIxrsopjmdIvl5> )

Sincerely, Tanner Middleton.
2008 Bank of America Corporation. All rights reserved.
-----------------------------------------------------------------------------------------------------------------------------------------

On the surface, it looks pretty legitimate. The email address is manager#4541@bankofamerica.com which looks reasonably legitimate. If we used that as our only proof of legitimacy, however, we'd be taking a huge risk. Let's keep looking at the email. The subject line is: “Subject: Bank of America Urgent Customer Alert: "Joomla!" Security Update.” OK, hang on! What the heck is “Joomla!” and why is it in the subject line? A quick search in Google for “Joomla” gets us to a Wikipedia webpage ( http://en.wikipedia.org/wiki/Joomla! ) where we learn: “Joomla! is a free open source content management system for publishing content on the World Wide Web and intranets.” Well, we found out what Joomla is, and maybe it makes sense to someone to put it in a subject line.

Continuing on, we read “Attention All Bank of America Customers.” Now wait a minute, they sent it to me, shouldn't they have been just a little more personal and said something like “Dear Mr. Witham” or “Dear Robert”, or even “Dear Robert Witham”? And another thing, now that I think of it, I don't even think I have a Bank of America account, but I've had a lot of credit cards over the years, maybe one of them was through Bank of America. That's probably it, right?

Even the first line should give us reason to pause when we read: “At Bank of America, were committed…” Come on now. Surely Bank of America wouldn't make such a grammatical error as using “were” rather than “we're” or “we are” would they? Then again, maybe they were in a hurry, and we all know that spell checker wouldn't help because “were” is a perfectly legitimate word.

The errors in the message so far should be enough to make you suspicious, if not downright convinced that this is bogus, but let's keep on anyhow. This is getting almost humorous. OK, so security guys have a warped sense of what is funny.

The email has a link to the security pack, so let's look at it a little closer. It starts off with direct.bankofamerica.usnationwide so that looks good. However, don't stop reading yet. You need to read all the way to the first / to get the whole host name. Internet host names like this are read from right to left, starting just before the first / in the address, and the rightmost part is the name that was actually registered. So, in this case, this is a COM domain, and the registered domain name, the “parent” if you will, is mnebeine.com; everything to the left of it is a sub-name that the owner of mnebeine.com can set to whatever they like, including “bankofamerica.” This is equivalent to maine.gov that we use. Well, unless there is some link between mnebeine.com and Bank of America, we may have found something that tells us this is bogus.
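To show the right-to-left reading of a host name in practice, here is an added example (not part of the original newsletter) that takes the link from the message above, pulls out the host name, and finds the registered “parent” domain. The link is copied from the message with the spaces removed so that it parses; it is used only as text and is never fetched. The two-label rule for the parent domain is a simplification that ignores two-level suffixes such as .co.uk.

```python
from urllib.parse import urlsplit

# The link from the phishing message, re-joined so it parses as a URL.
# Constructed for this example from the text above; it is not visited.
SUSPICIOUS_URL = (
    "http://direct.bankofamerica.usanationwide.encrypted.linkbrowse.procedure."
    "mnebeine.com/verify.htm?/exacttrget/ptcontrol/OSL.htm"
    "?LOB=4654541619&refer=geIxrsopjmdIvl5"
)


def hostname_of(url):
    """Return everything between the scheme and the first '/'."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def registered_domain(host):
    """Read the host name right to left: the last two labels are the
    domain that was actually registered (the 'parent' in the article).
    Simplified: does not handle two-level public suffixes like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_subdomain_only(host, brand_domain):
    """True when the brand's name appears in the host but the host is
    NOT actually under the brand's registered domain."""
    host = host.lower()
    brand = brand_domain.lower()
    under_brand = host == brand or host.endswith("." + brand)
    brand_label = brand.split(".")[0]
    return brand_label in host and not under_brand


if __name__ == "__main__":
    host = hostname_of(SUSPICIOUS_URL)
    print("host name:        ", host)
    print("registered domain:", registered_domain(host))
    print("brand used as bait:", brand_in_subdomain_only(host, "bankofamerica.com"))
```

Run against the newsletter's link, the registered domain comes out as mnebeine.com and the bank's name is flagged as appearing only in the sub-name, which is exactly the inconsistency the paragraph above describes.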

One way to determine who is who on the Internet is through a tool called “Whois.” A good site I use for Whois lookups is http://whois.domaintools.com/ . This site will let you enter a domain name like mnebeine.com, and it will tell you who owns it. In this case, we find that the registered owner is: GOOD COMPANY. The primary contact is: Carolina Freid. Her email address is: company@yahoo.com . Her phone is 4446810777 and fax is 4446810777 . The mailing address is 777 good road, new city, FL 11003, us. Yahoo.com? I thought this was Bank of America? Phone number of 444-681-0777? If you look in your phone book for the 444 area code, you'll find out that it does not exist. Lastly, try doing a Google map search for 777 good road, new city, FL. You'll discover there is no New City, Florida.

I think we have thoroughly busted this email as bogus. These same tips and techniques will work for you to help determine if any email you receive is legitimate or not. If you receive an email from someone you don't know, or if you are the least bit suspicious about it, you are probably better off deleting the email rather than responding or clicking on an internal link. In fact, you should be suspicious of any email with an embedded link like this. But, if you want to check out for yourself how to investigate the validity of links, you have a few tools at your disposal.

OIT Security has produced a video showing how to use the tools described above, and showing some ways you can identify fraudulent emails and other scams on the Internet. You can find the "Phishing, SPAM, and e-mail scams" video and other security tips on the Enterprise Security page at: http://inet.state.me.us/oit/services/CoreTechnology/security/index.html#training